MilEats Cookie Policy
Version: v1.0 · Effective date: May 24, 2026 · Last updated: April 21, 2026
This policy explains what cookies and similar technologies MilEats uses, why we use them, and how you can control them.
For information about how MilEats collects, uses, and shares personal information more broadly, see our Privacy Policy.
1. What are cookies?
Cookies are small text files that a website or app places on your device (computer, phone, tablet) when you visit. They let the site remember things about your visit, like your preferences or login state, so you don't have to re-enter them each time.
Similar technologies include:
- Local storage / session storage. Browser-based storage that works like cookies but can hold more data. We currently do not use local or session storage for tracking purposes.
- Pixels / web beacons. Tiny transparent images embedded in pages or emails that confirm whether content was loaded. We do not use pixels or web beacons.
- SDKs (software development kits). Code libraries embedded in mobile apps that can collect device and usage information. Our apps use SDKs for analytics (PostHog), authentication (Auth0), and push notifications (Expo Push). Each is disclosed below.
- Server logs. Standard access logs generated by our hosting infrastructure (AWS Application Load Balancer access logs to S3, CloudWatch for application logs). These record your IP address, request path, user agent, and timestamp. They are not cookies but are similar technology for the purposes of this policy.
2. Cookie inventory
The table below lists every cookie and similar technology MilEats sets on your device. Cookies from third-party services that operate entirely on their own domains (inside iframes or on their own login pages) are listed separately in §3.
First-party cookies (set on mileatsdelivery.com or the MilEats app domain)
| Name | Category | Purpose | Duration | Set by |
|---|---|---|---|---|
| cookie_consent | Functional | Remembers your cookie consent preferences so we don't ask you again on every visit. | 12 months | MilEats (self-rolled consent banner) |
| ph_{project_id}_posthog | Analytics | PostHog device identifier. Allows PostHog to recognize your device across sessions for product-analytics purposes (page views, feature usage, funnel analysis). Does not identify you by name. PostHog session replay is OFF. | 1 year | PostHog JavaScript SDK |
What we verified is not set. A codebase and infrastructure audit confirmed:
- No session cookies. MilEats uses stateless JWT authentication (token in the Authorization header, validated against Auth0 JWKS). No server-side session is created, so no session cookie is set.
- No CSRF cookies. JWT-based authentication is inherently resistant to cross-site request forgery. Cookie-based CSRF tokens are not needed.
- No load-balancer cookies. The production Application Load Balancer does not use sticky sessions. If sticky sessions are enabled in a future deployment, this table will be updated before the relevant cookies are set.
Categories explained
- Strictly necessary. Required for the site or app to function. These cookies cannot be disabled without breaking core functionality (login, security, routing). We set them without asking for consent because they are essential.
- Functional. Improve your experience by remembering preferences. You can disable them, but the site may not remember your choices.
- Analytics. Help us understand how people use MilEats so we can improve it. We use PostHog for this purpose. PostHog is configured for product analytics only with no advertising integrations. Analytics cookies are set by default in the U.S. and require your consent in the EU and UK.
- Marketing / Advertising. We do not use marketing or advertising cookies. We do not use Meta Pixel, TikTok Pixel, Google Ads conversion tracking, LinkedIn Insight Tag, or any similar advertising technology. If that ever changes, this policy will be updated and your consent will be obtained before any marketing cookie is set.
3. Third-party cookies (not set on our domain)
The following services may set cookies on their own domains when you interact with MilEats. These cookies are governed by the respective service's cookie policy, not ours. They do not land on mileatsdelivery.com and we cannot read or control them.
| Service | When cookies are set | Domain | Their cookie policy |
|---|---|---|---|
| Stripe | When the payment form (Stripe Elements iframe) loads during checkout. Stripe sets __stripe_mid and __stripe_sid on stripe.com for fraud prevention. | stripe.com | stripe.com/cookie-policy |
| Auth0 | When you are redirected to the Auth0 login page during sign-in. Auth0 sets session cookies on its hosted login domain. | {tenant}.auth0.com or custom domain | auth0.com/privacy |
| Twilio | If you interact with Twilio-proxied phone calls via a web interface (rare; most Twilio interactions are server-to-server and set no cookies). | twilio.com | twilio.com/legal/privacy |
| Better Stack | If you visit our public status page at status.mileatsdelivery.com, Better Stack (which operates the status page) may set its own session cookies on that subdomain. These cookies are scoped to the status page only and do not affect your account or the main site. | status.mileatsdelivery.com (operated by Better Stack) | betterstack.com/privacy |
Why we list these. Even though these cookies are not "ours," EU and UK regulations (ePrivacy Directive Art. 5(3), UK PECR Reg. 6) require us to inform you about all cookies set in connection with our service, including those from third-party iframes, redirects, and subdomains operated by vendors.
Server-side vendors that do not set browser cookies. The MilEats backend services use Sentry (error tracking) and Grafana Cloud (distributed tracing) for observability. Both are server-side SDKs: they send data from our servers to the vendor's ingest endpoint. They do not set cookies on your browser. If they ever started doing so, this Policy would be updated before the change took effect.
4. How we handle consent
In the European Economic Area and United Kingdom
When you visit from the EU or UK, we show a cookie consent banner before setting any non-essential cookies. The banner gives you three choices:
- Accept all. Strictly necessary plus functional plus analytics cookies are set.
- Reject all. Only strictly necessary cookies are set. No analytics cookies fire.
- Preferences. Choose which categories to allow.
We use geo-detection (based on your request's country header) to determine whether to show the banner. If we cannot determine your country, we default to showing the banner (safest assumption).
PostHog SDK initialization is deferred until you grant analytics consent. If you reject analytics cookies, PostHog never loads and no device identifier is created.
The banner does not reappear after you make a choice unless you clear your cookies or visit the preference center. Your consent choice is stored in the cookie_consent first-party cookie for 12 months.
In the United States
Analytics cookies (PostHog) are set by default. You can opt out at any time by:
- Clicking the cookie preferences link in the site footer.
- Sending a Global Privacy Control (GPC) signal via your browser or a browser extension. We honor GPC as a valid opt-out of analytics tracking under CCPA and CPRA.
- Adjusting your browser settings to block cookies (see §6 below).
Withdrawing or changing consent
You can change your cookie preferences at any time:
- On the website: click "Cookie preferences" in the footer.
- In the app: go to Settings > Privacy > Cookie preferences.
- By clearing your cookies in your browser, which resets the consent state.
When you withdraw analytics consent, we stop setting new analytics cookies and instruct PostHog to stop tracking. Existing analytics cookies expire at their normal expiration time or can be cleared manually.
5. Do Not Track and Global Privacy Control
Do Not Track (DNT). There is no industry consensus on how to respond to DNT signals, so we do not currently alter our behavior based on a DNT header. If a standard emerges, we will revisit.
Global Privacy Control (GPC). We do honor GPC. If your browser sends a Sec-GPC: 1 header, we treat it as a request to opt out of analytics cookies and any future sale or sharing of personal information (which we do not do regardless). No further action is needed from you.
6. Browser-level controls
You can also control cookies through your browser settings. Note that blocking all cookies may impair site functionality (for example, you won't be able to stay logged in).
Instructions for major browsers:
- Chrome: Settings > Privacy and security > Cookies and other site data
- Safari: Settings > Privacy > Manage Website Data
- Firefox: Settings > Privacy & Security > Cookies and Site Data
- Edge: Settings > Privacy, search, and services > Cookies and site permissions
For mobile browsers, look under your device's browser settings for cookie controls.
7. How often we update this policy
We update this policy when we add, remove, or change a cookie or similar technology. Material changes (adding a new category, or adding cookies from a new vendor) follow the same 30-day advance notice process described in our Privacy Policy §21.
Non-material changes (updating a cookie's duration or correcting a name) are reflected in the table above and the "Last updated" date at the top.
Prior versions are archived at mileatsdelivery.com/legal/cookies/archive/v{n}.
8. Contact
If you have questions about this Cookie Policy or our use of cookies:
- Email: privacy@mileatsdelivery.com
- Webform: mileatsdelivery.com/legal/dsr
- Postal: MilEats LLC, 254 Chapman Rd, Ste 208 #23094, Newark, DE 19702, United States
Change log
| Version | Date | Summary |
|---|---|---|
| v1.0 | 2026-04-21 | Initial published version. Attorney-reviewed. Effective May 24, 2026 at launch. Cookie inventory confirmed against production deployment (self-rolled consent banner, consent-gated PostHog, no ALB sticky cookies, no CloudFront cookies, no BFF session cookies). Third-party cookie table includes Stripe, Auth0, Twilio, Better Stack. Server-side vendors (Sentry, Grafana Cloud) disclosed as non-cookie technologies. GPC honored globally. Webform path updated to /legal/dsr. |